
SANS ISC: PHP 5.2.3 released SANS ISC InfoSec Forums

PHP 5.2.3 released

PHP released PHP version 5.2.3.

According to the release notes, the following security improvements have been made:

  • Fixed an integer overflow inside chunk_split() (CVE-2007-2872)
  • Fixed possible infinite loop in imagecreatefrompng. (CVE-2007-2756)
  • Fixed ext/filter Email Validation Vulnerability (CVE-2007-1900)
  • Fixed bug #41492 (open_basedir/safe_mode bypass inside realpath())
  • Improved fix for CVE-2007-1887 to work with non-bundled sqlite2 lib.
  • Added mysql_set_charset() to allow runtime altering of connection encoding.

Take care with the fixes not listed as security related, as at least a few of them seem interesting either from a security application point of view or simply from an availability point of view. E.g.:

  • Fixed bug #41353 (crash in openssl_pkcs12_read() on invalid input)
  • Fixed bug #41347 (checkdnsrr() segfaults on empty hostname)

If you are on the 5.2 branch, it is best to upgrade to 5.2.3 ASAP.

While recompiling and testing PHP, consider adding Suhosin from the Hardened-PHP project; it will improve your security stance.

Swa Frantzen -- NET2S


Jun 1st 2007
